[saag] Fwd: [POSH] PKIX Over Secure HTTP (POSH)
Peter Saint-Andre <stpeter@stpeter.im> Tue, 04 June 2013 23:29 UTC
FYI.

-------- Original Message --------
Subject: [POSH] PKIX Over Secure HTTP (POSH)
Date: Tue, 04 Jun 2013 17:24:15 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
To: posh@ietf.org

Matt Miller and I have been working on a specification for "PKIX Over Secure HTTP" (POSH), which aims to make it easier to ensure proper TLS server identity checking in multi-tenanted environments (where it's basically impossible right now):

https://datatracker.ietf.org/doc/draft-miller-posh/

As the abstract says:

   This document defines two methods that make it easier to deploy
   certificates for proper server identity checking in application
   protocols. The first method enables a TLS client to obtain a TLS
   server's end-entity certificate over secure HTTP as an alternative to
   standard Public Key Infrastructure using X.509 (PKIX) and DNS-Based
   Authentication of Named Entities (DANE). The second method enables a
   source domain to securely delegate an application to a derived domain
   using HTTPS redirects.

We love PKIX (really!), we love DNSSEC, and we love DANE (which solves some of the same problems for some application protocols as POSH does). However, we want a technology that can be deployed more quickly than DANE in order to solve pressing operational security issues with standard PKIX in multi-tenanted environments.

This effort emerged from the XMPP community, but we have heard from folks working on other application technologies that it might be useful for things like IMAP and SMTP, thus the more generalized version of POSH that we published today (superseding draft-miller-xmpp-posh-prooftype).

We are planning to hold a BoF on this topic in Berlin, but in the meantime comments are very much welcome. Please post your feedback to the new posh@ietf.org list:

https://www.ietf.org/mailman/listinfo/posh

Thanks!

Peter

_______________________________________________
posh mailing list
posh@ietf.org
https://www.ietf.org/mailman/listinfo/posh
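The abstract above describes two mechanisms: a client fetching the server's end-entity certificate over HTTPS when ordinary PKIX name matching cannot succeed (shared hosting, where the presented certificate names the hosting provider rather than the tenant), and a source domain delegating to a derived domain through an HTTPS redirect. The following Python is an added illustration of that client-side decision flow, written for this archive page; it is not code from the draft or its authors. The well-known path, the "certs" JSON key, the canned HTTPS replies and the certificate bytes are all constructed assumptions for the example, not the draft's actual wire format. The fetcher refuses any redirect that leaves HTTPS, which is the check that keeps the delegation step from being downgraded.

```python
# Illustrative POSH-style client check (constructed example; the URL path and
# JSON keys are assumptions for this illustration, not the draft's wire format).
import base64
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class HttpsResponse:
    """Minimal stand-in for an HTTPS reply: either a redirect or a JSON body."""
    status: int
    location: Optional[str] = None   # Location header for 3xx replies
    body: Optional[dict] = None      # parsed JSON for 200 replies


def make_fetcher(table: Dict[str, HttpsResponse]) -> Callable[[str], HttpsResponse]:
    """Offline stand-in for an HTTPS client serving canned replies from `table`.
    Only https:// URLs are accepted, so a redirect to plain http:// fails closed."""
    def fetch(url: str) -> HttpsResponse:
        if not url.startswith("https://"):
            raise ValueError("refusing non-HTTPS URL: " + url)
        return table.get(url, HttpsResponse(status=404))
    return fetch


def sha256_fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


def name_matches(hostname: str, san_names: List[str]) -> bool:
    """PKIX-style host name check: exact match, or a wildcard in the leftmost label only."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        # "*.hosting.example" covers "a.hosting.example" but not "b.a.hosting.example"
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def posh_url(domain: str, service: str) -> str:
    # Hypothetical well-known location; the real draft defines its own path.
    return f"https://{domain}/.well-known/posh-{service}.json"


def fetch_posh_document(fetch, source_domain: str, service: str,
                        max_redirects: int = 3) -> Tuple[Optional[dict], str]:
    """Fetch the source domain's document, following HTTPS redirects.
    A redirect is how the source domain delegates the service to a derived domain."""
    url = posh_url(source_domain, service)
    for _ in range(max_redirects + 1):
        resp = fetch(url)
        if resp.status in (301, 302, 307, 308) and resp.location:
            url = resp.location          # fetch() rejects non-https targets
            continue
        if resp.status == 200 and isinstance(resp.body, dict):
            return resp.body, url
        return None, url
    raise ValueError("too many redirects fetching POSH-style document")


def published_fingerprints(doc: dict) -> List[str]:
    """Fingerprints of the certificates the document carries (base64 DER under an assumed 'certs' key)."""
    return [sha256_fingerprint(base64.b64decode(c)) for c in doc.get("certs", [])]


def verify_server_identity(fetch, source_domain: str, service: str,
                           presented_cert_der: bytes, presented_san: List[str]) -> Optional[str]:
    """Return which method vouched for the presented certificate, or None.

    'pkix': the certificate names the source domain directly (ordinary check).
    'posh': the name check failed (typical of shared hosting), but the certificate
            the source domain publishes over HTTPS matches what the server presented.
    """
    if name_matches(source_domain, presented_san):
        return "pkix"
    doc, _final_url = fetch_posh_document(fetch, source_domain, service)
    if doc is not None and sha256_fingerprint(presented_cert_der) in published_fingerprints(doc):
        return "posh"
    return None


def posh_lookup_rejected(fetch, source_domain: str, service: str) -> bool:
    """True when the lookup fails closed, e.g. a redirect that drops to plain http://."""
    try:
        fetch_posh_document(fetch, source_domain, service)
        return False
    except ValueError:
        return True


# --- Constructed scenario: tenant.example is served by hosting.example ---
HOSTING_CERT_DER = b"constructed-der-bytes-for-hosting.example"   # not a real certificate
HOSTING_SAN = ["hosting.example", "*.hosting.example"]
ROGUE_CERT_DER = b"constructed-der-bytes-for-some-other-server"

CANNED_HTTPS = {
    # source domain delegates via HTTPS redirect to the derived (hosting) domain
    posh_url("tenant.example", "xmpp"): HttpsResponse(302, location=posh_url("hosting.example", "xmpp")),
    posh_url("hosting.example", "xmpp"): HttpsResponse(
        200, body={"certs": [base64.b64encode(HOSTING_CERT_DER).decode()]}),
    # a misconfigured domain whose redirect drops to plain HTTP (must be rejected)
    posh_url("downgrade.example", "xmpp"): HttpsResponse(
        302, location="http://hosting.example/.well-known/posh-xmpp.json"),
}
FETCH = make_fetcher(CANNED_HTTPS)

if __name__ == "__main__":
    print(verify_server_identity(FETCH, "tenant.example", "xmpp", HOSTING_CERT_DER, HOSTING_SAN))
    print(verify_server_identity(FETCH, "tenant.example", "xmpp", ROGUE_CERT_DER, HOSTING_SAN))
    print(posh_lookup_rejected(FETCH, "downgrade.example", "xmpp"))
```

Run as a script it reports "posh" for the hosted tenant, None for a certificate the source domain never published, and True for the downgrade case. The two things worth noticing are the order of the checks (ordinary PKIX matching still wins when it works, the HTTPS lookup is only a fallback) and that the delegation chain inherits the security of every hop, so one non-HTTPS redirect voids the whole lookup.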